
Windows Analysis Report
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe

Overview

General Information

Sample name: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
Analysis ID: 1585883
MD5: 506987876a3908a73a4ec4cf833b2d10
SHA1: 5ee1f2493856ab91825da0bdbf79137c3d3b444a
SHA256: b27eff9adc64ac2a4f6d56c592d5e9de6df5f1b2f33a49a8e915fd0997723e27
Tags: base64-decoded, exe, user-abuse_ch
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • cleanup
Malware configuration (Xworm): {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source | Rule | Description | Author | Strings
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io | matched strings:
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x714e:$str05: Select * from AntivirusProduct
    • 0x734c:$str06: PCRestart
    • 0x7360:$str07: shutdown.exe /f /r /t 0
    • 0x7412:$str08: StopReport
    • 0x73e8:$str09: StopDDos
    • 0x74ea:$str10: sendPlugin
    • 0x7696:$str12: -ExecutionPolicy Bypass -File "
    • 0x77bf:$str13: Content-length: 5235
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
    • 0x7a2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ac9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bde:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76da:$cnc4: POST / HTTP/1.1
Source | Rule | Description | Author | Strings
00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
    • 0x782c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x78c9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x79de:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x74da:$cnc4: POST / HTTP/1.1
00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Process Memory Space: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe PID: 2784 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
Source | Rule | Description | Author | Strings
0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack | rat_win_xworm_v3 | Finds XWorm (version XClient, v3) samples based on characteristic strings | Sekoia.io | matched strings:
    • 0x6417:$str01: $VB$Local_Port
    • 0x6408:$str02: $VB$Local_Host
    • 0x670c:$str03: get_Jpeg
    • 0x60c7:$str04: get_ServicePack
    • 0x714e:$str05: Select * from AntivirusProduct
    • 0x734c:$str06: PCRestart
    • 0x7360:$str07: shutdown.exe /f /r /t 0
    • 0x7412:$str08: StopReport
    • 0x73e8:$str09: StopDDos
    • 0x74ea:$str10: sendPlugin
    • 0x7696:$str12: -ExecutionPolicy Bypass -File "
    • 0x77bf:$str13: Content-length: 5235
0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen | matched strings:
    • 0x7a2c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x7ac9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x7bde:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x76da:$cnc4: POST / HTTP/1.1
            No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T12:42:15.976511+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:18.840759+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:29.750749+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:43.554334+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:48.837995+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:57.313061+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:06.704387+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:09.378168+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:16.781972+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:18.859879+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:19.689665+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:33.491176+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:35.780030+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:35.906697+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:45.830562+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:45.999137+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:48.853468+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:56.555480+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:59.425000+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:01.734823+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:03.891133+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:08.251131+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:17.094719+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:18.847889+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:21.859598+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:25.829593+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:26.953517+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:39.893258+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.979242+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980183+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980314+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980631+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:42.203629+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:43.985726+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:48.871998+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:54.134629+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:04.529450+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:04.641734+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:07.766514+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:08.467022+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:09.022136+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.284382+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.378004+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.471389+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:15.944543+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.060212+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.153471+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.246792+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:17.362645+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:18.857506+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:26.630233+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:26.630478+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:27.158005+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:28.862246+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:33.326770+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:38.422408+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:42.486325+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:42.582624+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:47.252720+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:48.842491+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:49.061135+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:52.672281+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:53.532837+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:57.829595+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:57.923639+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:58.017084+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:46:03.000817+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:46:03.582731+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:46:05.115458+0100 | 2852870 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T12:42:16.036018+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:29.752522+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:43.556711+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:57.315192+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:06.706840+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:09.380816+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:16.789547+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:19.691865+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:33.556679+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:35.786760+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:35.912007+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:45.832622+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:46.001359+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:56.580305+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:59.445801+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:01.755076+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:03.893711+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:08.253314+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:17.097907+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:21.862692+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:25.851923+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:26.955787+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:39.896453+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:40.981388+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:42.205450+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:43.987899+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:54.139484+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:04.532556+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:04.643625+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:07.768250+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:08.481228+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:09.024816+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.286351+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.379637+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.473336+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:15.946406+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.061817+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.155225+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.248382+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:17.367103+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:26.636800+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:27.173554+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:28.866943+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:33.329331+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:38.424618+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:42.488888+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:42.584840+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:47.259034+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:52.681561+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:53.541560+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:57.831861+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:57.925465+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:58.018502+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:58.111497+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:58.116301+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:46:03.005568+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:46:03.584643+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:46:05.120593+0100 | 2852923 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T12:42:18.840759+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:48.837995+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:18.859879+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:48.853468+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:18.847889+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:48.871998+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:18.857506+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:48.842491+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:49.061135+0100 | 2852874 | 1 | Malware Command and Control Activity Detected | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T12:44:39.827635+0100 | 2853193 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP


            AV Detection

Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Avira: detected
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Malware Configuration Extractor: Xworm {"C2 url": ["87.120.116.179"], "Port": 1300, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Virustotal: Detection: 66% (permalink)
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | ReversingLabs: Detection: 84%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Joe Sandbox ML: detected
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: 87.120.116.179
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: 1300
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: <123456789>
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: <Xwormmm>
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: 07-01-25
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | String decryptor: USB.exe
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

            Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 87.120.116.179:1300 -> 192.168.2.4:49731
            Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49731 -> 87.120.116.179:1300
            Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 87.120.116.179:1300 -> 192.168.2.4:49731
            Source: Network trafficSuricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 87.120.116.179:1300
            Source: Malware configuration extractorURLs: 87.120.116.179
            Source: global trafficTCP traffic: 192.168.2.4:49731 -> 87.120.116.179:1300
            Source: Joe Sandbox ViewIP Address: 87.120.116.179 87.120.116.179
            Source: Joe Sandbox ViewASN Name: UNACS-AS-BG8000BurgasBG UNACS-AS-BG8000BurgasBG
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: unknownTCP traffic detected without corresponding DNS query: 87.120.116.179
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, 00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

            barindex
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, XLogger.cs; .Net Code: KeyboardLayout

            System Summary

            barindex
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE; Matched rule: Detects AsyncRAT (Author: ditekSHen)
            Source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE; Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings (Author: Sekoia.io)
            Source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT (Author: ditekSHen)
            Source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT (Author: ditekSHen)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B876716
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B8774C2
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B872800
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, 00000000.00000000.1652643319.000000000043C000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilename25.exe4 vs 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Binary or memory string: OriginalFilename25.exe4 vs 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE; Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
            Source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
            Source: classification engine; Classification label: mal100.troj.spyw.evad.winEXE@1/0@0/1
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Mutant created: NULL
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Mutant created: \Sessions\1\BaseNamedObjects\TaFKGPojYyrTF6N2
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Virustotal: Detection: 66%
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; ReversingLabs: Detection: 84%
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: mscoree.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: version.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: vcruntime140_clr0400.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: ucrtbase_clr0400.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: wbemcomn.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: amsi.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: avicap32.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: msvfw32.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            barindex
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, Messages.cs; .Net Code: Memory
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B8729F8 pushad ; retf (at 0_2_00007FFD9B8729D1)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B8729F8 push eax; iretd (at 0_2_00007FFD9B872A11)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B872858 pushad ; retf (at 0_2_00007FFD9B8729D1)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B871552 push E95B0E36h; ret (at 0_2_00007FFD9B871599)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Code function: 0_2_00007FFD9B87168D push ebx; retf (at 0_2_00007FFD9B8716AA)
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            barindex
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Memory allocated: A60000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Memory allocated: 1A7B0000 memory reserve | memory write watch
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Window / User API: threadDelayed 645
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Window / User API: threadDelayed 9212
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe TID: 6016; Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe TID: 2200; Thread sleep count: 645 > 30
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe TID: 2200; Thread sleep count: 9212 > 30
            Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
            Source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, 00000000.00000002.4116380285.000000001B770000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllre&
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Process information queried: ProcessInformation

            Anti Debugging

            barindex
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Process Stats: CPU usage > 42% for more than 60s
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Process token adjusted: Debug
            Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Memory allocated: page read and write | page guard
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe VolumeInformation
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Source: C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

            Stealing of Sensitive Information

            barindex
            Source: Yara match; File source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe PID: 2784, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara match; File source: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, type: SAMPLE
            Source: Yara match; File source: 0.0.17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe.430000.0.unpack, type: UNPACKEDPE
            Source: Yara match; File source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara match; File source: 00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match; File source: Process Memory Space: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe PID: 2784, type: MEMORYSTR

            MITRE ATT&CK Matrix (listed per tactic column; the number in parentheses is the report's signature count attached to that technique, techniques without a number carry no count in the report)

            Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
            Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
            Execution: Windows Management Instrumentation (11); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
            Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
            Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (232); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (1); Software Packing (2); DLL Side-Loading (1)
            Credential Access: Input Capture (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
            Discovery: Security Software Discovery (211); Process Discovery (1); Virtualization/Sandbox Evasion (232); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery
            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
            Collection: Input Capture (1); Archive Collected Data (11); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
            Command and Control: Encrypted Channel (1); Non-Standard Port (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
            Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | 66% | Virustotal |
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | 84% | ReversingLabs | ByteCode-MSIL.Spyware.AsyncRAT
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | 100% | Avira | TR/Spy.Gen
17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Source | Detection | Scanner | Label
87.120.116.179 | 0% | Avira URL Cloud | safe
            No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
87.120.116.179 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe, 00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
87.120.116.179 | unknown | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1585883
              Start date and time:2025-01-08 12:41:08 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 6m 11s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@1/0@0/1
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 99%
              • Number of executed functions: 4
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Override analysis time to 240000 for current running targets taking high CPU consumption
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
Time | Type | Description
06:42:00 | API Interceptor | 13938715x Sleep call for process: 17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
87.120.116.179 | 173349054689897a42ce4a1face346760a1e1ea6ee459f1c43651627f7c7690c5adf7c1298500.dat-decoded.exe | malicious | AsyncRAT, DcRat
87.120.116.179 | 173347741090e23c9ebd2c4b604c71623763cbce99aec650e3f9e27d35f4f3dcf6f1064415652.dat-decoded.exe | malicious | XWorm
87.120.116.179 | 1733477410ba2e5b8e1739578ed6933c4e69d66a81049f523c11599f36b2f5da870a31538a881.dat-decoded.exe | malicious | XWorm
87.120.116.179 | 17334774117b7343420a7b9efab7c5b1abd0627c7af1c91f9947163684497ce841bf5f9198533.dat-decoded.exe | malicious | XWorm
87.120.116.179 | 17334769266ba75a70859e94894e9fae5c33bba300e2b004c1166d236dc1ab2c8ff5669916631.dat-decoded.exe | malicious | XWorm
                        No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | Inquiry List.doc | malicious | DarkVision Rat | 87.120.113.91
UNACS-AS-BG8000BurgasBG | 3lhrJ4X.exe | malicious | LiteHTTP Bot | 87.120.126.5
UNACS-AS-BG8000BurgasBG | XClient.exe | malicious | XWorm | 87.120.125.47
UNACS-AS-BG8000BurgasBG | file.exe | malicious | DcRat, JasonRAT | 87.120.113.91
UNACS-AS-BG8000BurgasBG | 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91
UNACS-AS-BG8000BurgasBG | hoEtvOOrYH.exe | malicious | SmokeLoader | 87.120.115.216
UNACS-AS-BG8000BurgasBG | rebirth.arm4t.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.spc.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.sh4.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.arm5.elf | malicious | Gafgyt | 87.120.113.63
                        No context
                        No context
                        No created / dropped files found
                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                        Entropy (8bit):5.608075830349173
                        TrID:
                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                        • Win32 Executable (generic) a (10002005/4) 49.75%
                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                        • Windows Screen Saver (13104/52) 0.07%
                        • Generic Win/DOS Executable (2004/3) 0.01%
                        File name:17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
                        File size:36'864 bytes
                        MD5:506987876a3908a73a4ec4cf833b2d10
                        SHA1:5ee1f2493856ab91825da0bdbf79137c3d3b444a
                        SHA256:b27eff9adc64ac2a4f6d56c592d5e9de6df5f1b2f33a49a8e915fd0997723e27
                        SHA512:787fcdcde5a8b9afb31759344ef5f0a8f9824f1e9cebbc177f64fe0633caa4ee5ba761599a50adb3a25cb30896da84dfc64f7380a2aaf17ca9d2833605927256
                        SSDEEP:768:gL13A5Uno9RfHWa2BbUeo8icH1bxbFb9ETOMhwQXvk:exA5Uno9JHWXAeNicH1bBFb9ETOM66k
                        TLSH:64F24C48BBA04216D9ED6BF5A97372020674D613DD17EB4E4CD48ADB6F27BC08D013EA
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....}g................................. ........@.. ....................................@................................
                        Icon Hash:90cececece8e8eb0
                        Entrypoint:0x40a5de
                        Entrypoint Section:.text
                        Digitally signed:false
                        Imagebase:0x400000
                        Subsystem:windows gui
                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Time Stamp:0x677D1905 [Tue Jan 7 12:07:33 2025 UTC]
                        TLS Callbacks:
                        CLR (.Net) Version:
                        OS Version Major:4
                        OS Version Minor:0
                        File Version Major:4
                        File Version Minor:0
                        Subsystem Version Major:4
                        Subsystem Version Minor:0
                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa58c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc000 | 0x4c8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xe000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x85e4 | 0x8600 | acc4f4d398953bbc45129d14813c731b | False | 0.49889225746268656 | data | 5.745043921155186 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc000 | 0x4c8 | 0x600 | 303ba3178b4b2f813a09ec4e008200af | False | 0.373046875 | data | 3.687734251775919 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xe000 | 0xc | 0x200 | 0a3a083968c42d8366b2de0e8564a094 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xc0a0 | 0x234 | data | | | 0.4734042553191489
RT_MANIFEST | 0xc2d8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T12:42:15.803123+0100 | 2855924 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:15.976511+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:16.036018+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:18.840759+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:18.840759+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:29.750749+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:29.752522+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:43.554334+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:43.556711+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:42:48.837995+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:48.837995+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:57.313061+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:42:57.315192+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:06.704387+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:06.706840+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:09.378168+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:09.380816+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:16.781972+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:16.789547+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:18.859879+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:18.859879+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:19.689665+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:19.691865+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:33.491176+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:33.556679+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:35.780030+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:35.786760+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:35.906697+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:35.912007+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:45.830562+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:45.832622+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:45.999137+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:46.001359+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:48.853468+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:48.853468+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:56.555480+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:56.580305+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:43:59.425000+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:43:59.445801+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:01.734823+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:01.755076+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:03.891133+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:03.893711+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:08.251131+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:08.253314+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:17.094719+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:17.097907+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:18.847889+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:18.847889+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:21.859598+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:21.862692+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:25.829593+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:25.851923+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:26.953517+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:26.955787+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:39.827635+0100 | 2853193 | ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:39.893258+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:39.896453+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:40.979242+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980183+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980314+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.980631+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:40.981388+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:42.203629+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:42.205450+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:43.985726+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:43.987899+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:44:48.871998+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:48.871998+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:54.134629+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:44:54.139484+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:04.529450+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:04.532556+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:04.641734+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:04.643625+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:07.766514+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:07.768250+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:08.467022+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:08.481228+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:09.022136+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:09.024816+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.284382+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.286351+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.378004+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.379637+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:10.471389+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:10.473336+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:15.944543+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:15.946406+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.060212+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.061817+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.153471+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.155225+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:16.246792+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:16.248382+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:17.362645+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:17.367103+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:18.857506+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:18.857506+0100 | 2852874 | ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:26.630233+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:26.630478+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:26.636800+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:27.158005+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:27.173554+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:28.862246+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
2025-01-08T12:45:28.866943+0100 | 2852923 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) | 1 | 192.168.2.4 | 49731 | 87.120.116.179 | 1300 | TCP
2025-01-08T12:45:33.326770+0100 | 2852870 | ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes | 1 | 87.120.116.179 | 1300 | 192.168.2.4 | 49731 | TCP
                        2025-01-08T12:45:33.329331+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:38.422408+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:38.424618+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:42.486325+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:42.488888+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:42.582624+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:42.584840+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:47.252720+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:47.259034+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:48.842491+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:48.842491+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:49.061135+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:49.061135+01002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:52.672281+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:52.681561+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:53.532837+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:53.541560+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:57.829595+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:57.831861+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:57.923639+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:57.925465+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:58.017084+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:45:58.018502+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:58.111497+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:45:58.116301+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:46:03.000817+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:46:03.005568+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:46:03.582731+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:46:03.584643+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        2025-01-08T12:46:05.115458+01002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes187.120.116.1791300192.168.2.449731TCP
                        2025-01-08T12:46:05.120593+01002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.44973187.120.116.1791300TCP
                        Jan 8, 2025 12:45:57.749490023 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:57.754323006 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:57.765086889 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:57.769854069 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:57.829595089 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:57.831861019 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:57.836695910 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:57.923639059 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:57.925465107 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:57.930329084 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:58.017083883 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:58.018501997 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:58.023318052 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:58.110071898 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:58.111496925 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:58.116254091 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:45:58.116301060 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:45:58.121124029 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:02.827691078 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:02.832638979 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:03.000817060 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:03.005568027 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:03.010396957 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:03.409565926 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:03.414463043 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:03.582731009 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:03.584642887 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:03.589436054 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:04.844408989 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:04.947642088 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:05.115458012 CET13004973187.120.116.179192.168.2.4
                        Jan 8, 2025 12:46:05.120593071 CET497311300192.168.2.487.120.116.179
                        Jan 8, 2025 12:46:05.125386953 CET13004973187.120.116.179192.168.2.4

                        Target ID:0
                        Start time:06:41:57
                        Start date:08/01/2025
                        Path:C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Users\user\Desktop\17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d812142896.dat-decoded.exe"
                        Imagebase:0x430000
                        File size:36'864 bytes
                        MD5 hash:506987876A3908A73A4EC4CF833B2D10
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1652628694.0000000000432000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.4115104583.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation:low
                        Has exited:false

                          Execution Graph

                          Execution Coverage:21.5%
                          Dynamic/Decrypted Code Coverage:100%
                          Signature Coverage:0%
                          Total number of Nodes:3
                          Total number of Limit Nodes:0
                          execution_graph 4695 7ffd9b871c0c 4696 7ffd9b871c0f SetWindowsHookExW 4695->4696 4698 7ffd9b871cc1 4696->4698

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 0 7ffd9b872800-7ffd9b87a693 2 7ffd9b87a6dd-7ffd9b87a6f0 0->2 3 7ffd9b87a695-7ffd9b87a6a0 call 7ffd9b8705c0 0->3 4 7ffd9b87a6f2-7ffd9b87a70f 2->4 5 7ffd9b87a766 2->5 7 7ffd9b87a6a5-7ffd9b87a6da 3->7 8 7ffd9b87a76b-7ffd9b87a780 4->8 11 7ffd9b87a711-7ffd9b87a761 call 7ffd9b879360 4->11 5->8 7->2 14 7ffd9b87a782-7ffd9b87a794 call 7ffd9b8705d0 8->14 15 7ffd9b87a799-7ffd9b87a7ae 8->15 33 7ffd9b87b339-7ffd9b87b347 11->33 14->33 22 7ffd9b87a7e1-7ffd9b87a7f6 15->22 23 7ffd9b87a7b0-7ffd9b87a7dc 15->23 30 7ffd9b87a809-7ffd9b87a81e 22->30 31 7ffd9b87a7f8-7ffd9b87a804 call 7ffd9b878340 22->31 23->33 38 7ffd9b87a864-7ffd9b87a879 30->38 39 7ffd9b87a820-7ffd9b87a823 30->39 31->33 44 7ffd9b87a87b-7ffd9b87a87e 38->44 45 7ffd9b87a8ba-7ffd9b87a8cf 38->45 39->5 41 7ffd9b87a829-7ffd9b87a834 39->41 41->5 42 7ffd9b87a83a-7ffd9b87a85f call 7ffd9b8705a8 call 7ffd9b878340 41->42 42->33 44->5 46 7ffd9b87a884-7ffd9b87a88f 44->46 52 7ffd9b87a8d1-7ffd9b87a8d4 45->52 53 7ffd9b87a8fc-7ffd9b87a911 45->53 46->5 48 7ffd9b87a895-7ffd9b87a8b5 call 7ffd9b8705a8 call 7ffd9b872850 46->48 48->33 52->5 56 7ffd9b87a8da-7ffd9b87a8f7 call 7ffd9b8705a8 call 7ffd9b872858 52->56 61 7ffd9b87a9fd-7ffd9b87aa12 53->61 62 7ffd9b87a917-7ffd9b87a977 call 7ffd9b870530 53->62 56->33 71 7ffd9b87aa14-7ffd9b87aa17 61->71 72 7ffd9b87aa31-7ffd9b87aa46 61->72 62->5 103 7ffd9b87a97d-7ffd9b87a9b5 call 7ffd9b878350 62->103 71->5 75 7ffd9b87aa1d-7ffd9b87aa27 call 7ffd9b872830 71->75 78 7ffd9b87aa68-7ffd9b87aa7d 72->78 79 7ffd9b87aa48-7ffd9b87aa4b 72->79 81 7ffd9b87aa2b-7ffd9b87aa2c 75->81 88 7ffd9b87aa7f-7ffd9b87aa98 78->88 89 7ffd9b87aa9d-7ffd9b87aab2 78->89 79->5 82 7ffd9b87aa51-7ffd9b87aa63 call 7ffd9b872830 79->82 81->33 82->33 88->33 94 7ffd9b87aab4-7ffd9b87aacd 89->94 95 7ffd9b87aad2-7ffd9b87aae7 89->95 94->33 101 7ffd9b87aae9-7ffd9b87ab02 95->101 102 7ffd9b87ab07-7ffd9b87ab1c 95->102 101->33 107 7ffd9b87ab1e-7ffd9b87ab21 102->107 108 7ffd9b87ab45-7ffd9b87ab5a 102->108 103->5 123 
7ffd9b87a9bb-7ffd9b87a9da call 7ffd9b878360 103->123 107->5 109 7ffd9b87ab27-7ffd9b87ab40 107->109 112 7ffd9b87ab60-7ffd9b87abd8 108->112 113 7ffd9b87abfa-7ffd9b87ac0f 108->113 109->33 112->5 148 7ffd9b87abde-7ffd9b87abf5 112->148 120 7ffd9b87ac11-7ffd9b87ac22 113->120 121 7ffd9b87ac27-7ffd9b87ac3c 113->121 120->33 131 7ffd9b87ac42-7ffd9b87ac5d 121->131 132 7ffd9b87acdc-7ffd9b87acf1 121->132 123->81 133 7ffd9b87a9dc-7ffd9b87a9f8 123->133 137 7ffd9b87acf3-7ffd9b87ad04 132->137 138 7ffd9b87ad09-7ffd9b87ad1e 132->138 133->33 137->33 146 7ffd9b87ad20-7ffd9b87ad5a call 7ffd9b870ec0 call 7ffd9b879360 138->146 147 7ffd9b87ad5f-7ffd9b87ad74 138->147 146->33 152 7ffd9b87ae1b-7ffd9b87ae30 147->152 153 7ffd9b87ad7a-7ffd9b87ae16 call 7ffd9b870ec0 call 7ffd9b879360 147->153 148->33 158 7ffd9b87aebe-7ffd9b87aed3 152->158 159 7ffd9b87ae36-7ffd9b87ae39 152->159 153->33 169 7ffd9b87aee7-7ffd9b87aefc 158->169 170 7ffd9b87aed5-7ffd9b87aee2 call 7ffd9b879360 158->170 161 7ffd9b87aeb3-7ffd9b87aeb8 159->161 162 7ffd9b87ae3b-7ffd9b87ae46 159->162 174 7ffd9b87aeb9 161->174 162->161 165 7ffd9b87ae48-7ffd9b87aeb1 call 7ffd9b870ec0 call 7ffd9b879360 162->165 165->174 180 7ffd9b87aefe-7ffd9b87af38 call 7ffd9b870ec0 call 7ffd9b879360 169->180 181 7ffd9b87af3d-7ffd9b87af52 169->181 170->33 174->33 180->33 188 7ffd9b87afdd-7ffd9b87aff2 181->188 189 7ffd9b87af58-7ffd9b87af69 181->189 199 7ffd9b87aff4-7ffd9b87aff7 188->199 200 7ffd9b87b032-7ffd9b87b047 188->200 189->5 197 7ffd9b87af6f-7ffd9b87af7f call 7ffd9b8705a0 189->197 209 7ffd9b87af81-7ffd9b87afb6 call 7ffd9b879360 197->209 210 7ffd9b87afbb-7ffd9b87afd8 call 7ffd9b8705a0 call 7ffd9b8705a8 call 7ffd9b872808 197->210 199->5 204 7ffd9b87affd-7ffd9b87b02d call 7ffd9b870598 call 7ffd9b8705a8 call 7ffd9b872808 199->204 211 7ffd9b87b08d-7ffd9b87b0a2 200->211 212 7ffd9b87b049-7ffd9b87b088 call 7ffd9b879020 call 7ffd9b877f20 call 7ffd9b872810 200->212 204->33 209->33 210->33 229 7ffd9b87b0a4-7ffd9b87b107 call 7ffd9b870ec0 call 7ffd9b879360 211->229 
230 7ffd9b87b10c-7ffd9b87b121 211->230 212->33 229->33 230->33 247 7ffd9b87b127-7ffd9b87b241 call 7ffd9b878370 call 7ffd9b878380 call 7ffd9b878390 call 7ffd9b8783a0 call 7ffd9b872140 call 7ffd9b8783b0 call 7ffd9b878380 call 7ffd9b878390 230->247 286 7ffd9b87b243-7ffd9b87b247 247->286 287 7ffd9b87b2b2-7ffd9b87b2c7 call 7ffd9b870ec0 247->287 288 7ffd9b87b249-7ffd9b87b29a call 7ffd9b8783c0 call 7ffd9b8783d0 286->288 289 7ffd9b87b2c8-7ffd9b87b338 call 7ffd9b8705b0 call 7ffd9b879360 286->289 287->289 302 7ffd9b87b29f-7ffd9b87b2a8 288->302 289->33 302->287
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.4117176602.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b870000_17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d81.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: 0-3916222277
                          • Opcode ID: 0d5683642bbe02d992f26ad6a81d94f49116e4db90b676aeb4fbd3121a226205
                          • Instruction ID: 3666c949ee7b9cfe0510275ab97bd384c0f4274f115198168317be82ebd54fc0
                          • Opcode Fuzzy Hash: 0d5683642bbe02d992f26ad6a81d94f49116e4db90b676aeb4fbd3121a226205
                          • Instruction Fuzzy Hash: CB72A530B1D50D8FEBA4FB7884A6ABA72D2EF9C304B514578D41EC32D6DE38E9429741

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 358 7ffd9b876716-7ffd9b876723 359 7ffd9b87672e-7ffd9b8767f7 358->359 360 7ffd9b876725-7ffd9b87672d 358->360 364 7ffd9b876863 359->364 365 7ffd9b8767f9-7ffd9b876802 359->365 360->359 367 7ffd9b876865-7ffd9b87688a 364->367 365->364 366 7ffd9b876804-7ffd9b876810 365->366 368 7ffd9b876812-7ffd9b876824 366->368 369 7ffd9b876849-7ffd9b876861 366->369 373 7ffd9b87688c-7ffd9b876895 367->373 374 7ffd9b8768f6 367->374 371 7ffd9b876828-7ffd9b87683b 368->371 372 7ffd9b876826 368->372 369->367 371->371 375 7ffd9b87683d-7ffd9b876845 371->375 372->371 373->374 376 7ffd9b876897-7ffd9b8768a3 373->376 377 7ffd9b8768f8-7ffd9b8769a0 374->377 375->369 378 7ffd9b8768dc-7ffd9b8768f4 376->378 379 7ffd9b8768a5-7ffd9b8768b7 376->379 388 7ffd9b8769a2-7ffd9b8769ac 377->388 389 7ffd9b876a0e 377->389 378->377 380 7ffd9b8768bb-7ffd9b8768ce 379->380 381 7ffd9b8768b9 379->381 380->380 383 7ffd9b8768d0-7ffd9b8768d8 380->383 381->380 383->378 388->389 390 7ffd9b8769ae-7ffd9b8769bb 388->390 391 7ffd9b876a10-7ffd9b876a39 389->391 392 7ffd9b8769f4-7ffd9b876a0c 390->392 393 7ffd9b8769bd-7ffd9b8769cf 390->393 398 7ffd9b876aa3 391->398 399 7ffd9b876a3b-7ffd9b876a46 391->399 392->391 394 7ffd9b8769d3-7ffd9b8769e6 393->394 395 7ffd9b8769d1 393->395 394->394 397 7ffd9b8769e8-7ffd9b8769f0 394->397 395->394 397->392 400 7ffd9b876aa5-7ffd9b876b36 398->400 399->398 401 7ffd9b876a48-7ffd9b876a56 399->401 409 7ffd9b876b3c-7ffd9b876b4b 400->409 402 7ffd9b876a8f-7ffd9b876aa1 401->402 403 7ffd9b876a58-7ffd9b876a6a 401->403 402->400 404 7ffd9b876a6e-7ffd9b876a81 403->404 405 7ffd9b876a6c 403->405 404->404 407 7ffd9b876a83-7ffd9b876a8b 404->407 405->404 407->402 410 7ffd9b876b53-7ffd9b876bb8 call 7ffd9b876bd4 409->410 411 7ffd9b876b4d 409->411 418 7ffd9b876bbf-7ffd9b876bd2 410->418 419 7ffd9b876bba 410->419 411->410 419->418
                          Memory Dump Source
                          • Source File: 00000000.00000002.4117176602.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b870000_17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d81.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: c98f59b71af073c8ad8b33e2c8b08fa091e33ba618723805f5e76921c6f1d8b1
                          • Instruction ID: 93c9e1a4986ce40e5f8aacf53fea16fa190af739f07724d59c4b53d13bc0edf5
                          • Opcode Fuzzy Hash: c98f59b71af073c8ad8b33e2c8b08fa091e33ba618723805f5e76921c6f1d8b1
                          • Instruction Fuzzy Hash: BBF1C570A08A8D8FEBA8DF28C8557E977E1FF58314F04426EE84DC7295DF34A9458B81

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 420 7ffd9b8774c2-7ffd9b8774cf 421 7ffd9b8774d1-7ffd9b8774d9 420->421 422 7ffd9b8774da-7ffd9b8775a7 420->422 421->422 426 7ffd9b877613 422->426 427 7ffd9b8775a9-7ffd9b8775b2 422->427 429 7ffd9b877615-7ffd9b87763a 426->429 427->426 428 7ffd9b8775b4-7ffd9b8775c0 427->428 430 7ffd9b8775c2-7ffd9b8775d4 428->430 431 7ffd9b8775f9-7ffd9b877611 428->431 435 7ffd9b87763c-7ffd9b877645 429->435 436 7ffd9b8776a6 429->436 432 7ffd9b8775d8-7ffd9b8775eb 430->432 433 7ffd9b8775d6 430->433 431->429 432->432 437 7ffd9b8775ed-7ffd9b8775f5 432->437 433->432 435->436 438 7ffd9b877647-7ffd9b877653 435->438 439 7ffd9b8776a8-7ffd9b8776cd 436->439 437->431 440 7ffd9b87768c-7ffd9b8776a4 438->440 441 7ffd9b877655-7ffd9b877667 438->441 446 7ffd9b8776cf-7ffd9b8776d9 439->446 447 7ffd9b87773b 439->447 440->439 442 7ffd9b87766b-7ffd9b87767e 441->442 443 7ffd9b877669 441->443 442->442 445 7ffd9b877680-7ffd9b877688 442->445 443->442 445->440 446->447 449 7ffd9b8776db-7ffd9b8776e8 446->449 448 7ffd9b87773d-7ffd9b87776b 447->448 456 7ffd9b87776d-7ffd9b877778 448->456 457 7ffd9b8777db 448->457 450 7ffd9b877721-7ffd9b877739 449->450 451 7ffd9b8776ea-7ffd9b8776fc 449->451 450->448 453 7ffd9b877700-7ffd9b877713 451->453 454 7ffd9b8776fe 451->454 453->453 455 7ffd9b877715-7ffd9b87771d 453->455 454->453 455->450 456->457 458 7ffd9b87777a-7ffd9b877788 456->458 459 7ffd9b8777dd-7ffd9b8778b5 457->459 460 7ffd9b8777c1-7ffd9b8777d9 458->460 461 7ffd9b87778a-7ffd9b87779c 458->461 469 7ffd9b8778bb-7ffd9b8778ca 459->469 460->459 463 7ffd9b8777a0-7ffd9b8777b3 461->463 464 7ffd9b87779e 461->464 463->463 466 7ffd9b8777b5-7ffd9b8777bd 463->466 464->463 466->460 470 7ffd9b8778d2-7ffd9b877934 call 7ffd9b877950 469->470 471 7ffd9b8778cc 469->471 478 7ffd9b87793b-7ffd9b87794e 470->478 479 7ffd9b877936 470->479 471->470 479->478
                          Memory Dump Source
                          • Source File: 00000000.00000002.4117176602.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b870000_17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d81.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 3c1aaf456899821fe1f6838f70e61140e3994b538b70c76b52b1196491bba5d8
                          • Instruction ID: e04845ae627ae96c3b7c20bb674a5568be78eb8b58de3f440e16cac692ad1069
                          • Opcode Fuzzy Hash: 3c1aaf456899821fe1f6838f70e61140e3994b538b70c76b52b1196491bba5d8
                          • Instruction Fuzzy Hash: 20E1B430A09A4D8FEBA8DF68C8A57E977D1EF58310F04426ED84DC72A5DF74A941CB81

                          Control-flow Graph

                          • Executed
                          • Not Executed
                          control_flow_graph 313 7ffd9b871c0c-7ffd9b871c6d 317 7ffd9b871c73-7ffd9b871c78 313->317 318 7ffd9b871cf9-7ffd9b871cfd 313->318 320 7ffd9b871c7f-7ffd9b871c80 317->320 319 7ffd9b871c82-7ffd9b871cbf SetWindowsHookExW 318->319 321 7ffd9b871cc1 319->321 322 7ffd9b871cc7-7ffd9b871cf8 319->322 320->319 321->322
                          APIs
                          Memory Dump Source
                          • Source File: 00000000.00000002.4117176602.00007FFD9B870000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B870000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7ffd9b870000_17363364631bc7418009f735fbf6670730f0df5be418dd7fb7bf7e79b36349f3b17d81.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0
                          • Opcode ID: a692d5e80ee20fd7949d2d41c8cf9bef36d3b94aac1aa014aa6754642987b2f4
                          • Instruction ID: db6d10f1e0bb332fd0167f75be3c1ea01235b48e5133703cada4ef10e4c5f8ce
                          • Opcode Fuzzy Hash: a692d5e80ee20fd7949d2d41c8cf9bef36d3b94aac1aa014aa6754642987b2f4
                          • Instruction Fuzzy Hash: BC31E631A1CA1C8FDB5CEF5C985A6F977E1EB99311F10427EE01DD3291CA61A85287C1